CIS Benchmarks for Docker 1.6

ZendPHP and ZendHQ Docker images are hardened to be compliant with CIS Docker Benchmarks v1.6.0. To download the full document as PDF, see CIS Docker Benchmark (cisecurity.org).

We have specifically targeted subsection 4. For the benchmarks in subsections 1 to 3 and 5 to 7, we have summarized the necessary actions for you to take to be compliant.

1 - Host configuration

This section contains recommendations to prepare the host machine that you plan to use for executing containerized workloads. Compliance with these guidelines helps you build a solid and secure foundation when running container workloads.

Linux

1.1.1 Ensure a separate partition for containers has been created

For new installations, create a separate partition for the /var/lib/docker mount point. For systems which have already been installed, use the Logical Volume Manager (LVM) within Linux to create a new partition.

1.1.2 Ensure only trusted users are allowed to control Docker daemon

Remove any untrusted users from the docker group.

Do not create a mapping of sensitive directories from the host to container volumes.

1.1.3 Ensure auditing is configured for the Docker daemon

1. Add rules for the Docker daemon.
   

   For example, add the following line to the /etc/audit/rules.d/audit.rules file:
   

   Copy

   -w /usr/bin/dockerd -k docker

2. Then, restart the audit daemon using the following command:
   

   Copy

   systemctl restart auditd

1.1.4 – 1.1.18 Ensure auditing is configured for Docker files and directories

1. Add a rule for each of the following files and directories:

   • /run/containerd

   • /var/lib/docker

   • /etc/docker

   • docker.service

   • containerd.sock

   • docker.socket

   • /etc/default/docker

   • /etc/docker/daemon.json

   • /etc/containerd/config.toml

   • /etc/sysconfig/docker

   • /usr/bin/containerd

   • /usr/bin/containerd-shim

   • /usr/bin/containerd-shim-runc-v1

   • /usr/bin/containerd-shim-runc-v2

   • /usr/bin/runc

   For example, add the following line to the/etc/audit/audit.rulesfile for each of these files and directories:

   Copy

   -a exit,always -F path=/run/containerd -F perm=war -k docker

2. Restart the audit daemon using the following command:

   Copy

   systemctl restart auditd

General

	Configuration Attribute	Recommended Setting
1.2.1	Container host	Harden the container host
1.2.2	Docker	Keep the version up-to-date

2 - Docker daemon configuration

This section lists the recommendations that alter and secure the behavior of the Docker daemon. The settings that are under this section affectallcontainer instances.

	Configuration Attribute	Recommended Setting
2.1	Docker daemon	Run as a non-root user, if possible
2.2	Network traffic	Restrict between containers on the default bridge
2.3	Logging level	Set to 'info'
2.4	Docker	Allow it to make changes to iptables
2.5	Insecure registries	Do not use
2.6	aufs storage driver	Do not use
2.7	TLS authentication	Configure for Docker daemon
2.8	Default ulimit	Configure appropriately
2.9	User namespace support	Enable
2.10	The default cgroup usage	Must be confirmed
2.11	Base device size	Do not change until needed
2.12	Authorization for Docker client commands	Enable
2.13	Centralized and remote logging	Configure them
2.14	Containers	Restrict them from acquiring new privileges
2.15	Live restore	Enable
2.16	Userland Proxy	Disable
2.17	Daemon-wide custom seccomp profile	Apply, if appropriate
2.18	Experimental features	Do not implement in production

3 - Docker daemon configuration files

This section deals with hardening Docker related files and directory permissions and ownership. Files may contain sensitive parameters and keeping them secure is important for the correct and secure functioning of the Docker daemon.

Identify the following files or directories and ensure that their ownership and permissions are set as shown, or stricter:

File/Directory to Secure	File Ownership	File Permissions
docker.service file	root:root	as appropriate
docker.socket file	root:root	644 or stricter
/etc/docker directory	root:root	755 or stricter
registry certificate file	root:root	444 or stricter
TLS CA certificate file	root:root	444 or stricter
Docker server certificate file	root:root	444 or stricter
Docker server certificate key file	root:root	400 or stricter
Docker socket file	root:docker	660 or stricter
daemon.json file	root:root	644 or stricter
/etc/default/docker file	root:root	644 or stricter
/etc/sysconfig/docker file	root:root	644 or stricter
Containerd socket file	root:root	660 or stricter

4 - Container images and build file

This section contains recommendations for container base images and build files to ensure that your containerized infrastructure is secure.

4.1 Ensure that a user for the container has been created

The Zend team has reviewed all ZendPHP and ZendHQ images. We have removed root privileges on execution and during container run time from users in all images which do not require them.

4.2 Ensure that containers use only trusted base images

ZendPHP and ZendHQ images are based on established and trusted OS base images.

4.3 Ensure that unnecessary packages are not installed in the container

ZendPHP and ZendHQ images use the baseline list of installed software.

4.4 Ensure images are scanned and rebuilt to include security patches

The Zend team scans the ZendPHP and ZendHQ images frequently for any vulnerabilities. In the event of a security vulnerability, the Zend team rebuilds images to include security fixes and republishes them.

4.5 Ensure Content trust for Docker is enabled

Content trust for Docker must be Enabled for ZendPHP and ZendHQ images.

4.6 Ensure that HEALTHCHECK instructions have been added to container images

The Zend team has added HEALTHCHECK instructions to ZendPHP and ZendHQ images.

4.7 Ensure update instructions are not used alone in the Dockerfile

ZendPHP and ZendHQ images have been confirmed to not use update instructions alone in the Dockerfile.

4.8 Ensure setuid and setgid permissions are removed

The Zend team has reviewed all ZendPHP and ZendHQ images. We have removed setuid and setgid permissions from all images which do not require them.

4.9 Ensure that COPY is used instead of ADD in Dockerfiles

The Zend team has confirmed that ZendPHP and ZendHQ images use COPY instead of ADD in Dockerfiles.

4.10 Ensure secrets are not stored in Dockerfiles

The Zend team has confirmed that ZendPHP and ZendHQ images do not store secrets in Dockerfiles.

4.11 Ensure only verified packages are installed

ZendPHP and ZendHQ images use GPG key verification in installations.

4.12 Ensure all signed artifacts are validated

ZendPHP and ZendHQ images are signed, and the signatures are validated before publishing.

5 - Container runtime configuration

This section contains recommendations for starting containers, and which parameters are associated with them. Review the container runtime configuration in line with your organizational security policy.

	Configuration Attribute	Recommended Setting
5.1	Swarm mode	Do not enable, unless needed
5.2	AppArmor Profile	Enable, if applicable
5.3	SELinux security options	Set, if applicable
5.4	Linux kernel capabilities	Restrict within containers
5.5	Privileged containers	Don’t use
5.6	Sensitive host system directories	Do not mount on containers
5.7	sshd	Do not run within containers
5.8	Privileged ports	Do not map within containers
5.9	Ports	Open only needed ports on the container
5.10	The host's network namespace	Do not share
5.11	Memory usage for containers	Limit usage
5.12	CPU priority	Set appropriately on containers
5.13	Container's root filesystem	Mount as read only
5.14	Incoming container traffic	Bind to a specific host interface
5.15	'On-failure' container restart policy	Set to '5'
5.16	The host's process namespace	Do not share
5.17	The host's IPC namespace	Do not share
5.18	Host devices	Do not directly expose to containers
5.19	Default ulimit	Overwrite at runtime if needed
5.20	Mount propagation mode	Do not set to shared
5.21	The host's UTS namespace	Do not share
5.22	The default seccomp profile	Do not disable
5.23	Docker exec commands	Do not use with the privileged option
5.24	Docker exec commands	Do not use with the user=root option
5.25	cgroup usage	Must be confirmed
5.26	Container	Restrict from acquiring additional privileges
5.27	Container health	Check it at runtime
5.28	Docker commands	Always make use of the latest version of the image
5.29	PIDs cgroup limit	Use it
5.30	Docker's default bridge "docker0"	Do not use it
5.31	The host's user namespaces	Do not share
5.32	Docker socket	Do not mount inside any containers

6 - Docker security operations

Best practices to avoid operational security issues associated with Docker deployments.

6.1 - Ensure that image sprawl is avoided

Keep only the images that you actually need. Establish a workflow to remove old or stale images from the host. Additionally, use features such as pull-by-digest to get specific images from the registry.

6.2 - Ensure that container sprawl is avoided

Periodically check your container inventory on each host and clean up containers which are not in active use with the command docker container prune.

7 - Docker Swarm configuration

This section addresses recommendations that alter and secure the behavior of the Docker Swarm. If you are not using Docker Swarm, then the recommendations in this section do not apply. If you have questions, see the CIS Benchmark PDF for details.

	Configuration Attribute	Recommended Setting
7.1	Manager nodes	Create a minimum number in a swarm
7.2	Swarm services	Bind to a specific host interface
7.3	Docker swarm overlay networks	Encrypt them
7.4	Docker's secret management commands	Use for managing secrets in a swarm cluster
7.5	Swarm manager	Run in auto-lock mode
7.6	Swarm manager auto-lock key	Rotate periodically
7.7	Node certificates	Rotate as appropriate
7.8	CA certificates	Rotate as appropriate
7.9	Management plane traffic	Keep separate from data plane traffic